RFR: 8320971: Use BufferedInputStream.buf directly when param of implTransferTo() is trusted

jmehrens duke at openjdk.org
Thu Nov 30 04:35:05 UTC 2023


On Wed, 29 Nov 2023 22:38:59 GMT, Markus KARG <duke at openjdk.org> wrote:

>> src/java.base/share/classes/java/io/BufferedInputStream.java line 647:
>> 
>>> 645:             if (avail > 0) {
>>> 646:                 // trust all OutputStreams from java.io
>>> 647:                 if (out.getClass().getPackageName() == BufferedInputStream.class.getPackageName()) {
>> 
>> I don't think Class::getPackageName documents that the returned String is interned so I wonder if the == check will lead to questions and suggestions of a bug. Classes with names starting with "java." can only be defined to the boot or platform class loader (details in the ClassLoader API docs) so you could just check if the package name equals "java.io".
>
> Do we only want to trust java.io or anything starting with java.*?

I don't think checking if the package is java.io is secure:

ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
BufferedInputStream bis = new BufferedInputStream(bais);
UntrustedOutputStream uos = new UntrustedOutputStream();
bis.transferTo(new java.io.DataOutputStream(uos)); 

You have to know that it is in the java.io package and it doesn't wrap another stream.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/16879#discussion_r1410142200
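
The wrapping problem described in the message above, as an added example that is not part of the original message or of the JDK patch. `UntrustedOutputStream`, `transfer`, and both trust checks are hypothetical stand-ins, and `buf` is a constructed array playing the role of the internal buffer.

```java
import java.io.*;
import java.util.Arrays;

public class WrappedStreamLeak {
    // Hypothetical stand-in for the UntrustedOutputStream in the message:
    // it keeps a reference to the array it is handed and overwrites it.
    static class UntrustedOutputStream extends OutputStream {
        byte[] seen;
        @Override public void write(int b) { }
        @Override public void write(byte[] b, int off, int len) {
            seen = b;                                  // retains the caller's array
            Arrays.fill(b, off, off + len, (byte) 0);  // and modifies it in place
        }
    }

    // The check under review: package name only.
    static boolean trustedByPackage(OutputStream out) {
        return "java.io".equals(out.getClass().getPackageName());
    }

    // Assumed stricter alternative: an exact class that copies the bytes it is
    // given and does not wrap another stream (subclasses do not match).
    static boolean trustedByExactClass(OutputStream out) {
        return out.getClass() == ByteArrayOutputStream.class;
    }

    // Stand-in for the transfer: pass buf itself only to a trusted stream,
    // otherwise pass a defensive copy.
    static void transfer(byte[] buf, OutputStream out, boolean trusted) throws IOException {
        byte[] toWrite = trusted ? buf : Arrays.copyOf(buf, buf.length);
        out.write(toWrite, 0, toWrite.length);
    }

    public static void main(String[] args) throws IOException {
        UntrustedOutputStream uos = new UntrustedOutputStream();
        // DataOutputStream is in java.io but forwards the same array to uos.
        OutputStream out = new DataOutputStream(uos);

        byte[] buf = "secret".getBytes();   // constructed sample data
        transfer(buf, out, trustedByPackage(out));
        System.out.println("package check:     leaked=" + (uos.seen == buf)
                + " buf=" + Arrays.toString(buf));

        buf = "secret".getBytes();
        transfer(buf, out, trustedByExactClass(out));
        System.out.println("exact-class check: leaked=" + (uos.seen == buf)
                + " buf=" + Arrays.toString(buf));
    }
}
```

With the package-name check the untrusted stream receives the very array that was passed in and its contents are overwritten; with the exact-class check it only ever sees a copy.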


More information about the core-libs-dev mailing list